[mapguide-internals] MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

Jackie Ng jumpinjackie at gmail.com
Thu Dec 13 05:37:14 PST 2018

There are several driving forces at work right now:

 1. PHP 5.6.x will be end of life (it will no longer receive any bugfixes or
support) at the end of this year

 2. PHP 5.6 to PHP 7.x migration of the MapGuide API binding has been a
difficult and time-consuming process. While I have the basic groundwork in
place for a functional PHP 7 MapGuide API binding (via:
https://github.com/jumpinjackie/mapguide-api-bindings), this binding needs
time in the oven to iron out any problems that will inevitably appear when
we start porting across existing MapGuide PHP applications on top of this
new binding (mapdmin, fusion, ajax viewer, etc)

 3. This has stretched out the release date of the next major version of
MapGuide (3.3) that has already been stretched due to diminishing developer
resources. We cannot ship 3.3 with PHP 5.6.x

 4. But at the same time, there hasn't been a release of MapGuide (major or
minor) since early April this year. So since 3.3 is still some time away,
and 3.1 is still on the PHP 5.6.x series, the very least we can/should do in
the interim is to put out a 3.1.2 release and make sure that its bundled
copy of PHP 5.6 is the last 5.6.x version before EOL (5.6.39). And since PHP
is getting upgraded, we might as well roll in updated Apache and Tomcat as
well. This is the motivation for this RFC.

So what does this mean in terms of risk for MapGuide users who roll 3.1.2
out into production (when it comes out)? They'll be running a version of PHP
that is no longer supported, but you can say the same thing for any
preceding version of MapGuide currently out there.

I guess as long as you lock down the PHP installation on production with a
minimal attack surface (only enable the minimally required settings/features
in PHP so that the MapGuide PHP applications work and nothing more), things
should be fine. If you don't use fusion, mapadmin, or any of the other
supporting MapGuide PHP applications, you can remove PHP altogether and be
business as usual. If something in breaks in your bundled PHP after 31st
December 2018 or new PHP-level security vulnerabilities are discovered after
this date, you're on your own. That's the risky part.

- Jackie

Sent from: http://osgeo-org.1560.x6.nabble.com/MapGuide-Internals-f4209935.html

More information about the mapguide-internals mailing list